Skip to content

Instantly share code, notes, and snippets.

@grawity

grawity/_Example polkit rules_.md

Last active September 8, 2025 05:24
Show Gist options
  • Save grawity/3886114 to your computer and use it in GitHub Desktop.
Save grawity/3886114 to your computer and use it in GitHub Desktop.
Download ZIP
Raw
_Example polkit rules_.md

Put your rules in /etc/polkit-1/rules.d/*.rules.

See the polkit(8) manpage for rule syntax. (It's JavaScript.)

If you don't know the action name, run pkaction.

To test your rules, use pkcheck.

pkcheck -u -p $$ -a org.freedesktop.packagekit.upgrade-system

Raw
networkmanager-wheel-noauth.js
/* Copy this to /etc/polkit-1/rules.d/80-networkmanager-wheel-without-authentication.rules
*/
polkit.addRule(function(action, subject) {
if (/^org\.freedesktop\.NetworkManager\./.test(action.id) &&
subject.local && subject.active && subject.isInGroup("wheel")) {
return polkit.Result.YES;
}
});
Raw
packagekit-restrict.js
/* Copy this to /etc/polkit-1/rules.d/packagekit-restrict.rules
*/
polkit.addRule(function(action, subject) {
if (/^org\.freedesktop\.packagekit\./.test(action.id)) {
if (subject.local && subject.active && subject.isInGroup("wheel")) {
return polkit.Result.YES;
} else {
return polkit.Result.AUTH_ADMIN_KEEP;
}
}
});
Raw
udisks1-avoid-consolekit.js
/* Copy this to /etc/polkit-1/rules.d/udisks-no-consolekit.rules
*/
polkit.addRule(function(action, subject) {
if (action.id == "org.freedesktop.udisks.filesystem-mount") {
if (subject.isInGroup("wheel"))
return polkit.Result.YES;
else
return polkit.Result.AUTH_ADMIN_KEEP;
} else if (/^org\.freedesktop\.udisks\./.test(action.id)) {
return polkit.Result.AUTH_ADMIN_KEEP;
}
});
Raw
udisks1-wheel-is-god.js
/* Copy this to /etc/polkit-1/rules.d/always-allow-wheel.rules
*/
polkit.addRule(function(action, subject) {
if (/^org\.freedesktop\.udisks\./.test(action.id) && subject.isInGroup("wheel"))
{
return polkit.Result.YES;
}
});
Raw
udisks2-allow-mount-internal.js
/* Copy this to /etc/polkit-1/rules.d/allow-mount-internal.rules
*/
polkit.addRule(function(action, subject) {
if ((action.id == "org.freedesktop.udisks2.filesystem-mount-system" ||
action.id == "org.freedesktop.udisks.filesystem-mount-system-internal") &&
subject.local && subject.active && subject.isInGroup("users")) {
return polkit.Result.YES;
}
});
@steve-todorov
Copy link

This is probably the most annoying thing in OpenSUSE - asking for a password for network, hdd mount, etc. Every now and then I have to search for these rules. Thanks for posting them as a gist!

@CMCDragonkai
Copy link

Where do you define how long to keep the authorisation for?

@yssmcl
Copy link

yssmcl commented Jun 24, 2017

Thank you for posting these examples!

@agners
Copy link

agners commented Sep 27, 2019

Note that AUTH_ADMIN_KEEP is kept per process, hence if another process ID is asking for the same action this will lead to a reauthentication.

@SebTM
Copy link

SebTM commented Apr 7, 2022

Is there possibility to ".test()" on a "action.lookup("XYZ")" result? or convert/use another function like indexOf on an action-lookup result?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment